Re: LIO Per initiator target discovery question.

On 13/09/13 18:57, Nicholas A. Bellinger wrote:
> On Fri, 2013-09-13 at 16:23 +0100, Benjamin ESTRABAUD wrote:
>> Hi!
>>
>> After some search on Google, it would appear that LIO doesn't support a
>> "per initiator (IQN) target discovery" feature like IET did with the
>> initiators.allow file (although it did more than just "hiding" targets
>> to initiators, it also refused connection from a particular initiator).
>>
>> Am I right with this assertion?

Hi Nicholas,

> No.
>
> By default (eg: when generate_node_acls=0) all initiators are denied
> access to individual TargetName+TargetPortalGroupTag endpoints until an
> explicit NodeACL based on InitiatorName is added by the target
> administrator.

True.

> So while when discovery authentication is disabled, any initiator can
> obtain the list of targets through sendtargets discovery, by default,
> they are *not* allowed to login to any target endpoint without an
> explicit NodeACL, nor without per NodeACL CHAP authentication
> credentials.

Ok, that's what I thought. The most important point here is that, in the end, access to the target is restricted using CHAP (when used) or at least with the initiator IQN. The target hiding would be more a "nice to have" feature than an essential, security orientated one. However, if we were to add such a feature to LIO in house, would patches be accepted? Do you think this is a relatively hard feature to implement (we have little knowledge in the LIO internals but can learn)?

Thanks in advance!

Regards,
Ben.

> --nab
>
> --
> To unsubscribe from this list: send the line "unsubscribe target-devel" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
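
The login gating described in the thread can be checked on a target host. The script below is an added example, not code from the thread or from the LIO project. It assumes the configfs layout `<root>/<TargetName>/tpgt_<N>/{attrib,acls}` plus `discovery_auth/enforce_discovery_auth`; the function name and the OPEN/CLOSED/ACL-ONLY/ACL+CHAP labels are made up for illustration.

```shell
#!/bin/sh
# Added example: classify each LIO iSCSI TPG by how login is gated.
# Assumption: attribute files sit under the configfs paths named in the
# lead-in; pass another root to audit a copied or constructed tree.
# Usage: audit_lio_tpgs [root]   (returns non-zero if any TPG is OPEN)
audit_lio_tpgs() {
    root="${1:-/sys/kernel/config/target/iscsi}"
    open=0
    enforce="$root/discovery_auth/enforce_discovery_auth"
    if [ -r "$enforce" ] && [ "$(cat "$enforce")" != "1" ]; then
        echo "NOTE discovery: SendTargets is unauthenticated, target names are visible"
    fi
    for tpg in "$root"/*/tpgt_*; do
        [ -d "$tpg" ] || continue
        name="${tpg#"$root"/}"
        gen=$(cat "$tpg/attrib/generate_node_acls" 2>/dev/null) || gen=""
        auth=$(cat "$tpg/attrib/authentication" 2>/dev/null) || auth=""
        # Each subdirectory of acls/ is one explicit NodeACL (an InitiatorName).
        nacls=0
        for acl in "$tpg"/acls/*; do
            if [ -d "$acl" ]; then nacls=$((nacls + 1)); fi
        done
        if [ "$gen" = "1" ]; then
            # NodeACLs are generated on the fly: no per-initiator gate.
            state="OPEN"; open=$((open + 1))
        elif [ "$nacls" -eq 0 ]; then
            # generate_node_acls=0 and no NodeACL: every login is denied.
            state="CLOSED"
        elif [ "$auth" = "1" ]; then
            state="ACL+CHAP"
        else
            # Login is gated by InitiatorName only; CHAP is not enforced.
            state="ACL-ONLY"
        fi
        echo "$state $name acls=$nacls"
    done
    [ "$open" -eq 0 ]
}
```

A TPG reported as CLOSED or ACL+CHAP matches the default behaviour described in the thread, even when the NOTE line shows that discovery itself is unauthenticated.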

